A U.S. Joint Forces Command Solution to Coalition Interoperability

Support to coalition operations in the future is an information assurance challenge today. Since 1994, little has changed in the methods and mechanisms we use to provide information to our allied partners. As each coalition operation (Haiti, Somalia, Bosnia, Kosovo) comes and goes, the lessons learned statements always cry for improved interoperability within the coalition. The requirements are well documented throughout the Department of Defense (DoD). Even Joint Vision 2010, the DoD road map for the future, states, “It is not enough to be joint when conducting future operations. We must find the most effective methods for integrating and improving interoperability with allied and coalition partners.” True interoperability with our allied partners will come only after we have an information exchange system designed from the ground up for use by coalition forces.

“Successful completion of the CMHP project will require careful transition from risk avoidance to risk management in the way classified information is managed and safeguarded.”

Admiral Harold Gehman
Commander in Chief, United States Joint Forces Command

Colonel Dennis Treece’s article in the Spring 1999 IAnewsletter was right on target in describing the shortcomings and challenges of releasing and disseminating classified military information to our multinational partners in a coalition environment. As Colonel Treece says, the “really hard part, the ‘Achilles heel’ of coalition information sharing, is the mechanism by which any nation transfers information outside its own system.” Because of valid security policy restrictions, we are not allowed to connect our Defense networks to multinational networks, thus creating the need for “sneaker nets”—literally, running the releasable information from the U.S. side, across an air gap, to the multinational side. Anyone who has experienced the pain of this method knows its difficulties and limitations. (In 1994, those of us in U.S. Atlantic Command had our turn when we provided information support to the 29 countries involved in Haiti peace operations.)


Mr. Craig Vroom
Mr. Allan H. McClure

U.S. Joint Forces Command (USJFCOM, formerly U.S. Atlantic Command) is responsible within DoD for joint task force (JTF) interoperability. At Joint Forces Command, we have embarked on building a system for secure information exchange. It is called the Coalition Multilevel Security (MLS) Hexagon Prototype or CMHP. The CMHP is composed of six functions that will allow us to exchange information with our allies in a secure, flexible manner.

Side 1 of the Hexagon (Figure 1 on page 4), Marking Standards, uses the classification and control marking standards adopted by the U.S. intelligence community. These standards were coordinated by the Controlled Access Program Coordinating Office (CAPCO) and continue to be fine-tuned by CAPCO as required.

Side 2 of the Hexagon is called Document Marking, which is designed to implement human-readable markings. Basically, this software enables the information originator to mark Microsoft Word, PowerPoint, and Excel documents in accordance with the CAPCO and Executive Order 12958 standards. The marking is a simple operation, done with the point and click of a mouse and made still easier by pull-down menus that provide choices for basic classification, caveats, and “release to” options for countries, coalitions, operations, organizations, and exercises. Once the document is marked, it is then transformed into a “computer-readable” label, side 3 of the Hexagon. A digital signature attaches the label to the document, which is then encrypted and sent to the “Coalition Server,” an Oracle 8 relational database management system.

Figure 1. Coalition MLS Hexagon Prototype

Hexagon’s side 4, Personal Authentication, is the linchpin of CMHP. A personal token called a Hexcard allows us to identify the user and all of his or her security attributes. Much as an automated teller machine (ATM) card does, the Hexcard will store a user’s fingerprint template and a credential set based on his or her clearance levels, citizenship, and need-to-know roles. Hexcards will be inserted into workstation smart-card readers to identify the user to the system.

Side 5 of the Hexagon is the hardware, including NT workstations, fingerprint scanners, and smart-card readers, required for the CMHP.

Hexagon’s side 6 is Security Management. A special staff security officer must be assigned to coordinate system security requirements, issue Hexcards to CMHP participants, understand the information assurance requirements, and monitor the system for improper attempts to access data.

The Hexagon concept provides the flexibility required in coalition-supported joint task force operations by encrypting and protecting the object, rather than the network. This is the key difference between CMHP and other multilevel security (MLS) solutions. Using object protection, we can compare the attributes of an individual with the objects that reside in the server. If there is a match, the coalition participant can retrieve and decrypt the document.
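The two mechanisms the article describes, a computer-readable label bound to the object (side 3) and a comparison of the user's credential set against that label before release (side 4 and the object-protection concept above), are easy to show in a few dozen lines. The following is an added illustration written for this page, not CMHP code: an HMAC-SHA256 tag over (label, document) stands in for the digital signature the article mentions, and the level names, role names, signing key and sample document are all constructed.

```python
"""Object-level protection: a classification label bound to a document, and
an access decision that compares a user's credential set with that label.

Added illustration, not CMHP code. HMAC-SHA256 over (label, document) stands
in for the digital signature the article describes; level names, role names,
the signing key and the sample document are constructed.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Classification levels, lowest to highest; a clearance "dominates" a label
# when its rank is at least the label's rank.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """Computer-readable label: classification, release-to set, caveats."""
    classification: str
    release_to: frozenset             # countries the object is releasable to
    caveats: frozenset = frozenset()  # need-to-know markings (assumed names)


@dataclass(frozen=True)
class Credential:
    """Attributes a Hexcard-style token would carry for one user."""
    clearance: str
    citizenship: str
    roles: frozenset                  # need-to-know roles the user holds


def canonical_label(label: Label) -> bytes:
    """Deterministic encoding so the same label always tags the same way."""
    return json.dumps(
        {
            "classification": label.classification,
            "release_to": sorted(label.release_to),
            "caveats": sorted(label.caveats),
        },
        sort_keys=True,
    ).encode()


def bind_label(document: bytes, label: Label, key: bytes) -> bytes:
    """Tag covering both label and content, so neither can be swapped alone."""
    return hmac.new(key, canonical_label(label) + b"\x00" + document,
                    hashlib.sha256).digest()


def label_intact(document: bytes, label: Label, tag: bytes, key: bytes) -> bool:
    """Constant-time check that the stored tag matches (label, document)."""
    return hmac.compare_digest(bind_label(document, label, key), tag)


def may_access(cred: Credential, label: Label) -> bool:
    """Attribute comparison: clearance, citizenship, then need-to-know."""
    if cred.clearance not in LEVELS or label.classification not in LEVELS:
        return False                  # unknown level: fail closed
    if LEVELS[cred.clearance] < LEVELS[label.classification]:
        return False                  # clearance does not dominate the label
    if cred.citizenship not in label.release_to:
        return False                  # not on the release-to list
    if not label.caveats <= cred.roles:
        return False                  # a caveat the user holds no role for
    return True


def retrieve(cred: Credential, document: bytes, label: Label,
             tag: bytes, key: bytes):
    """Server-side gate: refuse if the label was tampered with or the user's
    attributes do not match; otherwise release the object."""
    if not label_intact(document, label, tag, key):
        return None
    if not may_access(cred, label):
        return None
    return document


# Constructed sample: one SECRET object releasable to three countries, with a
# need-to-know caveat that maps to a role on the user's token.
SAMPLE_KEY = b"constructed-signing-key-not-for-real-use"
SAMPLE_DOC = b"Constructed sample: coalition logistics summary"
SAMPLE_LABEL = Label("SECRET", frozenset({"USA", "GBR", "CAN"}),
                     frozenset({"HAITI-OPS"}))
SAMPLE_TAG = bind_label(SAMPLE_DOC, SAMPLE_LABEL, SAMPLE_KEY)

if __name__ == "__main__":
    uk_user = Credential("SECRET", "GBR", frozenset({"HAITI-OPS"}))
    fr_user = Credential("SECRET", "FRA", frozenset({"HAITI-OPS"}))
    print(retrieve(uk_user, SAMPLE_DOC, SAMPLE_LABEL, SAMPLE_TAG, SAMPLE_KEY))
    print(retrieve(fr_user, SAMPLE_DOC, SAMPLE_LABEL, SAMPLE_TAG, SAMPLE_KEY))
```

The order of checks in retrieve matters: the binding is verified before any attribute is consulted, so a label edited to add a country to its release-to set is rejected outright rather than evaluated. Every attribute test fails closed, including an unknown classification string, which is the behaviour a security officer monitoring for improper access attempts would want logged rather than silently permitted.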

The CMHP will be tested and demonstrated at the Joint Battle Center (JBC) in Suffolk, Virginia, in May 2000. The objective of the demonstration will be to bring existing technologies together to allow users with different clearance levels from different countries to use the same local area network and gain access only to information they are authorized to see. After the concept is demonstrated, the Joint Battle Center will provide an independent assessment of the system’s military utility.

The ultimate goal of the Hexagon is to provide the joint task force commander a tool that increases the effectiveness of communications with allied or interagency forces.

Mr. Craig Vroom is the International Programs Branch Chief at U.S. Joint Forces Command, located in Norfolk, Virginia. He has an undergraduate degree in Computer Science from San Diego State University and is currently participating in DoD’s Defense Leadership and Management Program (DLAMP). You may reach him via E-mail at vroom@jric.jfcom.mil.

Mr. Allan McClure is a Lead Engineer supporting the US Joint Forces Command Director for Intelligence. During the last seven years, he has helped in the implementation of Intelink and developed a collaborative architecture for the Non-Proliferation Center, a Director for Central Intelligence (DCI) controlled activity. He may be reached at amcclure@mitre.org.
Figure 2. CMHP HexCard

USEUCOM Information Assurance Conference


Brigadier General Charles E. Groom, director, United States European Command (USEUCOM)/J6, hosted USEUCOM’s first Information Assurance Conference, 30 November-2 December 1999, at the Abrams Center in Garmisch-Partenkirchen, Germany. The conference had three purposes:

• To present pressing information assurance (IA) issues and review associated IA products

• To foster teamwork and synergy among key IA players in the theater

• To provide the latest IA informational updates for theater IA personnel.

Framework

The conference attracted a total of 162 people, representing Headquarters (HQ) USEUCOM, U.S. Army Europe (USAREUR), U.S. Air Forces Europe (USAFE), US Naval Forces Europe (USNAVEUR), Marine Forces Europe (MARFOREUR), Special Operations Command Europe (SOCEUR), the Defense Information Systems Agency (DISA), the National Security Agency (NSA), and other commands, such as U.S. Special Operations Command (USSOCOM), U.S. Pacific Command (USPACOM), and U.S. Central Command (USCENTCOM), as well as several other DoD agencies involved in USEUCOM IA.



Brigadier General Charles E. Groom.


By design, all levels of IA professionals, from enlisted to general officer grades, participated in the sessions. This arrangement ensured expression of various viewpoints at the forum and enabled individuals with hands-on working experience to interact directly with policy makers at the highest levels.

Each morning’s general session started with a senior-level keynote address. The speakers were Brigadier General Gary Salisbury, DISA/D6; Mr. Richard Schaeffer, Office of the Secretary of Defense (OSD), Command, Control, Communications, and Intelligence (C3I); and Mr. Orville Lewis, NSA/DDI Chief of Staff. All addresses were followed by extended question-and-answer sessions that immediately indicated a very high level of interest in the rapidly developing IA field.

Mr. Kent Waller


Immediately following the keynote addresses were general session presentations from theater-specific IA leaders. A total of six speakers (two per day) from USNAVEUR, HQ USEUCOM, USAREUR, USAFE, and the North Atlantic Treaty Organization (NATO) presented issues and fielded questions.

The afternoons were divided into three in-depth breakout tracks in the areas of operations, computer security (COMPUSEC), and communications security (COMSEC). These sessions were smaller in number of participants, more technical, and more discussion oriented than the general sessions.

Operations discussions focused primarily on lessons learned from Kosovo operations and plans for future support. COMPUSEC participants dealt with information assurance vulnerability alert (IAVA) issues and discussed the technical details of dealing with theater-specific threats.

The COMSEC sessions, which were often filled to capacity, explored the areas of key management infrastructure, software test environment (STE) migration, Defense Message System (DMS) fielding, and Global Broadcast Service (GBS) fielding.

Selected special session presenters were invited to display products and services particularly associated with USEUCOM IA issues.

Theater Action Team

To ensure meaningful conference results, a Theater Action Team (TAT) was formed. Composed of key IA decision makers in the USEUCOM theater and chaired by Brigadier General Groom, the TAT met each evening to review and debate the many issues raised by the breakout tracks. After narrowing the number of issues, the team selected 20 action items; ranked each item’s priority as high, medium, or low; and assigned each action to an office of primary responsibility (OPR) with a deadline for accomplishment.

The TAT results were extremely well received by all conference participants. As a result of its success, the conference has led to the development of a new European Information Assurance Steering Council composed of senior IA leaders and aimed at providing continuing, unified guidance to theater IA personnel.

Additional Information

All conference materials, including the TAT action items, attendee lists, and briefings, are available for download from the HQ USEUCOM SIPRNET Web site.

The office with primary responsibility for the conference was the HQ USEUCOM C3I Directorate’s Defensive Information Warfare Division directed by Col LaForrest Williams, U.S. Air Force (USAF). On behalf of Brigadier General Groom, this group extends appreciation to all the speakers who made the conference a success.

Mr. Kent Waller is an Information Assurance Program Manager for HQ United States European Command. He earned his B.S. in Engineering from the University of Oklahoma in 1986 and his Master of Public Administration from the University of Oklahoma in 1990. He may be reached at wallerkl@eucom.mil.
The Joint Task Force for Computer Network Defense (JTF-CND) is a new organization with a new mission: to direct the defense of all Department of Defense (DoD) computers and networks and the information that moves in them from any threat, foreign or domestic. Our intelligence (J2) role on this team resembles any other JTF-level intelligence effort. That mission is to provide the commander, the JTF-CND staff, and assigned components with all-source, fused, predictive intelligence on enemy locations, capabilities, and intentions. The JTF-CND J2 must understand the enemy in cyberspace, and must provide decision-makers with the actionable intelligence required to support defensive operations.

That task is easier said than done. Those who choose to attack or exploit our information systems operate with great anonymity in globally interconnected networks. Additionally, our adversaries are armed with software tools that strike at the speed of light, and use tactics that are hard to detect in the noise of the net.

Finding the enemy in cyberspace is also complicated by the nature of this new terrain. There are few useful charts by which to orient us and little agreement on what the concept of “cyberspace” means. Perhaps the most useful definition remains William Gibson’s original explanation of the term: Cyberspace is “a consensual hallucination experienced daily by billions... [an] unthinkable complexity.” Try visualizing enemy locations in that!

The adversary may be a terrorist attempting to attack Department of Defense (DoD) networks to draw attention to a cause or to slow our response to an act of physical terror. Threats also come from espionage agents seeking to acquire sensitive but unclassified information for use by a foreign state or criminal organization. We may soon face nation state adversaries in cyberspace who seek military advantage, possibly by attacking our combat support infrastructure or, in perhaps the most insidious attack, by attempting to manipulate the perceptions of senior DoD decision makers.

Although the computer network defense intelligence problem is complex and relatively new, developing JTF-CND intelligence tactics, techniques, and procedures (TTP) has been simple and straightforward. We have based most of our TTPs on the existing playbook for JTF intelligence support, the Joint Staff’s Joint Doctrine for Intelligence Support to Operations (Joint Pub 2-0). Using intelligence doctrine as the bedrock for JTF-CND intelligence TTPs has already paid off. Following doctrine has increased the intelligence community focus on and support of the CND mission.

Joint Pub 2-0 also directly assisted in planning for the U.S. Space Command (SPACECOM) assumption of the DoD CND mission, which occurred 1 October 1999. Intelligence staffs at and JTF-CND quickly realized the importance of adhering to joint doctrine wherever possible. Using joint doctrine allowed us to clarify important aspects of the new relationship, including the most efficient means of handling intelligence collection and production requirements and appropriate division of labor between CINC and JTF intelligence personnel.

The central principle: Know the adversary. Perhaps Joint Pub 2-0’s most critical contribution is a clear articulation of the general functions that must be conducted by a JTF J2. It also provides guidance on how these functions should be carried out. The following points show JTF-CND J2 application of these principles.

The fundamental responsibility of the JTF-CND J2 is to provide JTF-CND decision makers with the fullest possible understanding of the cyber threat. This understanding must include knowledge of the adversary’s goals, objectives, strategy, intentions, capabilities, methods of operation, vulnerabilities, and sense of value and loss. To provide this understanding, the JTF-CND J2 and intelligence staff must develop and continuously refine an ability to think like the cyber threat.

Intelligence support is critical to operational success. JTF J2 staff must understand the adversary in order to support operations. Intelligence must be made actionable by tailoring it into a useful form and then getting it into the hands of the commander, the operations division (J3), and other JTF decision makers. Operations support also requires J2 assessment of J3 intentions from the adversary’s perspective to determine probable adversary responses.

Intelligence support requires the integration of intelligence efforts at strategic, operational, and tactical levels. Strategic intelligence is used to formulate defensive strategies and operations at national and theater levels, making both SPACECOM and JTF-CND key consumers of intelligence produced on the cyber threat to our Nation. Operational intelligence is used by SPACECOM and JTF-CND to determine defensive objectives and to support the planning and conduct of CND operations. Tactical intelligence required for CND is a new discipline that is still in an initial stage. When fully developed, tactical intelligence procedures and processes will support rapid reaction to tactical threats by JTF-CND components.

Strategic, operational, and tactical intelligence must be employed in a way that reduces our chances of being deceived or surprised. Deception and surprise are inherent factors in cyberspace, however, and will probably always be concerns.

Intelligence sources are the means or systems used to observe, sense and record, or convey information. JTF-CND J2 staff must understand the strengths and weaknesses of all intelligence sources relevant to this mission area. The seven primary intelligence sources are imagery intelligence, human intelligence, signals intelligence, measurement and signature intelligence, open source intelligence, technical intelligence, and counterintelligence. Unity of effort is maintained by tasking these disciplines in accordance with joint doctrine. All results are fused to provide the best possible assessments. Integration also helps reduce deception and surprise.

Intelligence supports all aspects of JTF-CND operations. JTF-CND J2 will participate in planning from the outset of any operation. Early involvement in JTF-CND planning will allow the J2 to articulate intelligence collection and production requirements to the intelligence community and to formulate, at an early stage, intelligence guidance for JTF-CND components. It will also allow the J2 to provide intelligence at every stage of the decision-making process.

Providing understanding of the enemy to support counterintelligence and operational security measures. Concurrent with the JTF-CND planning and operating process, the J2 will provide the commander with an understanding of the adversary’s command and control processes and adversary intelligence collection capabilities, so appropriate operational security and counterintelligence operations can be implemented.

Evaluating the effects of defensive operations. The JTF-CND J2 will assist the JTF commander and J3 in evaluating operational results and determining when objectives have been attained, so forces may be reoriented or operations terminated. Some defensive measures that may have to be taken on DoD networks to thwart a sophisticated adversary could affect millions of DoD computer users, making intelligence support for exit strategies of paramount importance.

Intelligence systems will be interoperable, usable, scalable, reliable, and user-friendly. Joint Pub 2-0 provides overarching guidance on establishment of a joint intelligence architecture for support to a JTF. Much of this architecture already exists in the military intelligence community infrastructure. CND intelligence architecture is based on the Joint Worldwide Intelligence Communications System (JWICS) and the Joint Deployable Intelligence Support System (JDISS). By tailoring JWICS and JDISS to the JTF-CND mission, JTF-CND joins a network linking the entire intelligence community.

New threat databases are being established to support this mission, and many new intelligence fusion, collaboration, and visualization tools are being developed to support CND intelligence analysts. As they are developed, strict adherence to joint doctrine and joint standards (where they exist) will help ensure interoperability and proper mission focus.

Intelligence TTPs must be understood by all players. A key reason for having joint doctrine is to know how the rest of the team will play. Intelligence TTPs spell these plays out in detail, describing agreed-upon ways that organizations interact. For example, JTF-CND components will follow joint doctrine in stating intelligence collection and production requirements to JTF-CND for further validation, prioritization, and tasking. When operations require, JTF-CND will issue statements of intelligence intentions to components, clarifying additional support procedures tailored to the particular mission. Component commanders will also provide feedback to the JTF on Service-related issues affecting the joint command, and will plan and develop implementing instructions for wartime intelligence support, including augmentation of joint forces.

Many aspects of this new mission area have yet to be covered by joint doctrine. That is to be expected in any modern military operation. But by starting with a foundation in joint doctrine, areas that have yet to be resolved are being discovered quickly and dialog is already underway to address them.

A Final Note

Operational units in the field or fleet who have a need for intelligence on cyberthreats can also rely on joint doctrine for intelligence. It is the basis for J2 procedures in every CINC area of responsibility, and is worth a good read by all uniformed professionals.


Commander Gourley is the Director of Intelligence, Joint Task Force-Computer Network Defense (J2, JTF-CND). He received a B.S. in Chemistry from Middle Tennessee State University in 1981, an M.S. in National Security Affairs from the Naval Postgraduate School in 1985, and an M.S. in Military Science from the Marine Corps University in 1996. He may be reached at gourleyr@jtfcnd.ia.mil.

Endnotes

Gibson, William. Neuromancer, Berkley Publishing Group, New York, NY, July 1984.

Joint Pub 2-0, Joint Doctrine for Intelligence Support to Operations, Pentagon, Washington, D.C., 5 May 1995.

Joint Pub 2-0, III-4.

Joint Pub 2-0, vii.

Joint Pub 2-0, xi.

Joint Pub 2-0, x.


Volume 3, Number 3, page 9







MAJ Gerald Burton, USA
Mr. Richard Phares

On 13 and 14 October 1999, IATAC conducted an exercise on information operations (IO) for computer network defense (CND) for the Joint Task Force for CND (JTF-CND). This tabletop exercise, Zenith Star 99-1, was designed to look both at a CND scenario similar to that used for Eligible Receiver 97-1, and at the interagency working-level coordination necessary to react to such a scenario. Zenith Star 99-1 also exercised the JTF-CND Tactics, Techniques, and Procedures (TTPs) and assessed progress made since the JTF-CND stand-up in December 1998. Although the exercise used the Eligible Receiver 97-1 scenario as a base, it did not replay that exercise completely. Instead, it focused primarily on CND-related events to determine how new DoD organizations and processes built since Eligible Receiver 97-1 affect the CND community’s response to a similar crisis.

More than 55 participants attended the exercise, including players from U.S. Space Command (SPACECOM), the National Infrastructure Protection Center (NIPC), the National Security Agency (NSA), the Defense Intelligence Agency (DIA), the Central Intelligence Agency (CIA), the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence (ASD C3I), the Joint Staff, and JTF-CND and its component commands. Several observers from U.S. Pacific Command (PACOM), U.S. Special Operations Command (SOCOM), U.S. Joint Forces Command (JFCOM), the National Communications System (NCS), and others also attended. Facilitators included personnel from both IATAC and JTF-CND.

Zenith Star 99-1’s goal was to foster understanding of the process and products required in interagency coordination and the resulting impacts on the CND community’s ability to perform its mission. The exercise achieved this goal by helping participants accomplish four specific objectives:

• Understanding the roles of new CND organizations in responding to a contingency similar to Eligible Receiver 97-1 in scope and complexity

• Understanding interagency coordination requirements

• Examining processes and procedures for JTF-CND coordination with other supporting agencies (e.g., NIPC, Intel)

• Understanding needs for improvement highlighted by several communities—intelligence, law enforcement and counterintelligence, and operations.

The exercise structure included information briefings and “hot washes.” Zenith Star 99-1 emphasized team play, so information briefings were kept to the bare minimum required. The exercise clock began while participants received their “situation briefing”—exercise time and real time were one and the same. Participants were divided into functional teams as follows:

• Operations team (SPACECOM, JTF-CND and its components)

• Intelligence team (CIA, DIA, NSA)

• Law enforcement/counterintelligence team (Defense Criminal Investigative Organizations, NIPC)

• Other team (Joint Staff, Office of the Secretary of Defense [OSD])

Participants within teams were allowed to communicate freely with each other. Communications among teams, however, were strictly regulated. Participants used either real communications (the secure telephone units, third generation [STU-III] available in each team room or face-to-face meetings arranged through the facilitators) or simulated communications (fax and E-mail). Additionally, the Control Cell brought participants together in a forum that allowed them to share information, and work together on their responses.

Team play was driven by “Red Force” actions: teams received injects describing specif-

continued on page 14
Distributed Denial of Service Tools

It was a dark and stormy night... With nothing else to do, you search for “places that don’t rain” using your favorite Web search engine only to get an ominous “Error 404.” It is quite possible that the search engine’s Web site is under attack from hundreds of systems at once, just as Yahoo’s page was in mid-February for 3+ hours. Could such a coordinated attack occur in reality? Unfortunately, a single individual could, with relative ease and little chance of repercussion, stage such an attack using a new breed of tools referred to as Distributed Denial of Service (DDoS) tools.

Reality #1

The number of poorly configured systems connected to the Internet is rapidly increasing. This is partially the result of well-connected university dormitories and high-speed connections to the home (cable-modems and DSL connections).

Reality #2

Based on the observed rate of network-wide probes and publicly available hacker tools, intruders are more interested in the number of compromised hosts rather than specific targets.

The reality is that, using publicly available tools, a determined intruder can compromise 100+ systems Internet-wide in a matter of days. Sadly, the number of vulnerable systems riding the Internet has outpaced a typical intruder’s ability to do something useful with the compromised systems. Distributed intruder tools have matured in this environment and now enable an intruder to use a large number of compromised systems in a coordinated and collective manner. The first widely used example of distributed intruder tools is denial of service tools, though others are expected to follow shortly. With the current generation of tools and little effort, an intruder can flood a target with a massive amount of traffic from hosts around the world. These DDoS tools are called names such as Trin00, Tribe Flood Network (TFN) and Stacheldraht and are available on UNIX and Windows systems. It is believed that variants of these tools were used to successfully launch large-scale attacks against such popular Web sites as Yahoo, E-bay, CNN and others. Many of the victims have been very well connected sites with over a gigabit per second of sustained bandwidth.

The current generation of 
DDOS tools requires an intrud¬ 
er to install a “daemon” on each 
of the compromised systems. 
At least one “master" system 
keeps track of the daemon sys¬ 
tems and directs the attack. 
When prompted by an intruder 
the master contacts each of the 
daemons and specifies the tar- 
coiitiiiued on page 12 
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detection signatures if they 
have not already done so. 
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Figure 1. Example DDoS network 

continued from page 11 

get and method of attack. From 
the victim’s perspective, they 
appear to be under attack from 
hundreds of systems from 
around the world all at once. 

There are two primary com¬ 
puter network defense goals 
with relation to the recent dis¬ 
tributed attacks: 

Don't be a partici¬ 
pant in an attack. 

The Internet community is 
already struggling with the 
scale of these attacks. Vulnera¬ 
ble DoD systems can be unwit¬ 
ting participants in a DDoS net¬ 
work serving only to increase 
the scale and complexity. 

The current set of DDoS 
tools are installed after a sys¬ 
tem is compromised by an in¬ 
truder and does not exploit any 
specific vulnerability. Based on 
past incidents, most DoD com¬ 
promises are the direct result of 
unpatched vulnerabilities that 
DoD’s Information Assurance 
Vulnerability Alert (lAVA) 
•Process has documented 
(http:// WWW. cert, mil/iava). 
Sites are encouraged to routine¬ 
ly check their systems for lAVA 


compliance. Sites are also ad¬ 
vised to do the following: 

• Periodically run DDoS 
scanning tools. Sites are 
encouraged to use either 
vendor or government devel¬ 
oped tools to detect known 
instances of DDoS tools. 

—The National Infrastruc¬ 
ture Protection Center 
(NIPC) has produced a 
host based scanning tool 
to detect known DDoS 
tools. The tool only runs 
on Solaris and Linux at 
the time of this article. 
The tool is available on 
the DoD-CERT’s home- 
page (http://www.cert. 
mil/resources/security_to 
ols.htm). 

—The current DoD con¬ 
tracted antivirus vendors, 
Symantec and McAfee, 
have developed signatures 
to detect the Windows’ 
variants of the DDoS tools. 

* Sites are encouraged to 
pressure their vendors 

(antivirus, intrusion detec¬ 
tion, etc) to update their 
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* Enable anti-spoofing rules 
at enclave perimeter. Sites 
should configure their 
perimeter firewall and router 
to only allow out traffic with 
valid source IP addresses. 
Many of the tools spoof their 
source IP address to make 
the attack look like it is origi¬ 
nating from somewhere else. 

• Disable directed broadcast at 
enclave perimeter. Sites 
should configure their router 
and firewall to disallow net¬ 
work traffic destined for their 
broadcast address. 
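As an added illustration of the last two rules above (this is not code from the article, DoD-CERT or NIPC), the Python below models an egress anti-spoofing check and a directed-broadcast check and runs them over a constructed packet list; the enclave prefix 192.0.2.0/24 and every packet are assumed sample values.

```python
"""Added example: the two perimeter rules the article recommends, modelled
as packet verdicts so the effect of each rule is visible on sample traffic.

  1. Anti-spoofing (egress): only let traffic OUT whose source address
     belongs to the enclave's own address space.
  2. Directed broadcast: drop traffic IN that is destined for the enclave's
     broadcast (or network) address, the amplifier used by broadcast floods.

The enclave prefix and all packets below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Iterable

ENCLAVE = IPv4Network("192.0.2.0/24")  # constructed enclave prefix


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = leaving the enclave, "in" = entering it
    src: str
    dst: str


def egress_verdict(pkt: Packet, enclave: IPv4Network = ENCLAVE) -> str:
    """Anti-spoofing rule: an outbound packet must carry an enclave source."""
    if pkt.direction != "out":
        return "n/a"
    return "permit" if IPv4Address(pkt.src) in enclave else "drop-spoofed-source"


def ingress_verdict(pkt: Packet, enclave: IPv4Network = ENCLAVE) -> str:
    """Directed-broadcast rule: an inbound packet must not target the
    enclave's broadcast or network address."""
    if pkt.direction != "in":
        return "n/a"
    dst = IPv4Address(pkt.dst)
    if dst in (enclave.broadcast_address, enclave.network_address):
        return "drop-directed-broadcast"
    return "permit"


def filter_packets(packets: Iterable[Packet], enclave: IPv4Network = ENCLAVE) -> dict:
    """Apply both rules; return a verdict tally and the packets dropped."""
    tally: dict = {}
    dropped = []
    for pkt in packets:
        if pkt.direction == "out":
            verdict = egress_verdict(pkt, enclave)
        else:
            verdict = ingress_verdict(pkt, enclave)
        tally[verdict] = tally.get(verdict, 0) + 1
        if verdict.startswith("drop"):
            dropped.append(pkt)
    return {"tally": tally, "dropped": dropped}


# Constructed sample traffic: what a compromised daemon host inside the
# enclave might emit, plus one inbound broadcast probe.
SAMPLE_PACKETS = [
    Packet("out", "192.0.2.10", "198.51.100.5"),    # legitimate outbound
    Packet("out", "203.0.113.77", "198.51.100.5"),  # spoofed source: not ours
    Packet("out", "10.9.8.7", "198.51.100.5"),      # spoofed source: private
    Packet("in", "198.51.100.9", "192.0.2.20"),     # normal inbound
    Packet("in", "198.51.100.9", "192.0.2.255"),    # directed broadcast
]

if __name__ == "__main__":
    result = filter_packets(SAMPLE_PACKETS)
    print(result["tally"])
    for p in result["dropped"]:
        print("dropped:", p)
```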



Don't be a victim of a DDoS attack.

While it has not happened to date, it is possible that DoD systems will (or could) be targeted in the future by such attacks.

From a potential victim's perspective, the best advice is to be prepared to be a victim. The current denial of service attacks only rely on a site's ability to receive network traffic through a finite network connection. These attacks take advantage of the large number of vulnerable systems connected to the Internet, so there is no simple "fix" for these attacks. Once a site has been targeted, there are a number of things that can be done to restore service in a timely manner. Systems owners are advised to be prepared in the following manner:

• Identify mission-essential systems that must be available to users from the Internet. If a denial of ser-
Air Force Materiel Command's Information Defense

Cyberterrorism, Internet attacks, malicious intrusions, and hacker activity are on the rise. Credit card data for thousands of people is offered for sale over the net.

Air Force systems and networks are targets. Protection of our systems and data is the new challenge, and Air Force Materiel Command (AFMC) is structuring itself to meet that challenge with a dedicated effort addressing all aspects of information assurance (IA).

Efforts to attack, sabotage, and corrupt government and industrial systems and data, sometimes in "sport" and sometimes as a conspiracy, have become a widespread problem plaguing everyone from the smallest businesses to the biggest government organizations. Network defenses and vigilance have been the two most common responses, but waiting for the next hacker is an insufficient approach to network protection. In AFMC we have taken a proactive approach to protecting our systems.

In an aggressive effort beginning in late 1998, AFMC developed and deployed a team of network security and operational experts under the banner of Operation Palisade. The team's continuing mission is to seek out network security weaknesses before they can be exploited and to remove them through the implementation of security network practices and technologies. The effort is focused on the single goal of protecting the mission-critical information contained on AFMC networks throughout the United States and the world. The challenge is particularly daunting because AFMC's relationships with various research centers and contractors mean that our networks have a larger-than-expected number of potentially open components.

The primary foundation on which Operation Palisade builds is the full application of the Air Force's Barrier Reef process. This proven methodology is designed to create boundary protection for all AFMC base intranet networks, protect those networks at their entry points to the Internet, provide specific network security training to base network managers, and increase AFMC network monitoring and auditing as soon as security weaknesses are identified. We feel that our Operation Palisade efforts, combined with the mandated actions laid out in applicable Air Force regulations and instructions, have positioned us not only to respond to problems, but to prepare our subordinate bases and organizations to position themselves proactively for the threats that surely lie just around the corner.

Are we where we want to be or need to be in our defensive posture? The answer is clearly "no." We need to move beyond Barrier Reef and Operation Palisade. We need to address all the capabilities of the Air Force's Defensive Counter-information (DCI) Operations program, including not only information assurance, but also operations security, electronic protection, counterintelligence, and other capabilities, as spelled out in Air Force Policy Directive 10-20. In the process of moving forward, AFMC has put the IA lead in charge of the overall command DCI program and given me the responsibility to coordinate all of the efforts in the realm of Defensive Information Operations.

By consolidating IA and DCI Operations leadership, we have put ourselves on a path for continuous improvement—and created a self-initiated challenge to succeed. There is much to do. AFMC is a target-rich environment for both the recreational hacker and the industrial spy. On the other hand, our challenges are no different from those faced by industry, other Air Force Major Commands (MAJCOM), or our sister services.

We are proud to be part of the large team, working hard with the other MAJCOMs, the Services and in industry to stay one step ahead of the next incident. We feel we have a positive story to tell, but recognize that others do also. For every good idea we have, we seek multiple opportunities to gather the best practices of others and to explore, in the field or in the lab environment, the best use of current capabilities and information on products under development.

Colonel Kirsch is the Chief, Mission Support, Network Operations & Security Division, HQ Air Force Materiel Command, Wright-Patterson AFB, OH. He was commissioned as a 2nd Lieutenant following completion of the ROTC program and graduation from Duquesne University in Pittsburgh, PA. He has held a variety of base level and tactical positions to include four command positions, ranging from a detachment in Iceland to Installation Commander of RAF Croughton, England. In his current position he is responsible for assessment of the operational effectiveness and efficiency of information, security, applications and systems for customers throughout Air Force Materiel Command, and is the overall lead for the command Defensive Counter Information program.
ic events from the facilitators at predetermined times. The participants were expected to evaluate the events in real time and formulate a response. While this sounds relatively simple, the intent of Zenith Star 99-1 was to examine interagency coordination—thus the teams had to present a coordinated response to the Control Cell for a specific event. If the participants recommended an appropriate action within a reasonable amount of time, long duration events would be stopped prematurely by the Control Cell. Otherwise, events continued until terminated as determined by the scenario.

Coordination between teams was conducted using the communications available to the participants. All coordination activities, such as phone calls, simulated E-mails, and faxes were recorded on templates provided to the participants. Facilitators were also present at any face-to-face meetings. Using the exercise scenario as ground truth, facilitators were therefore able to assess situational awareness within and across teams, and determine the overall state of the exercise at the end of each day. These assessments helped facilitators identify lessons learned and issues for future consideration.

Participants generally found the exercise to be beneficial. Zenith Star 99-1 showed that the CND community is making significant progress toward developing an effective CND process. Specifically, the ongoing efforts to increase CND coordination between operators, intelligence, and law enforcement are paying dividends. Continued planning initiatives and exercises will help to refine processes further, and prove valuable to the CND community as a whole.

The Zenith Star 99-1 After Action Report (AAR) is available on the JTF-CND SIPRNET Web site. Questions and comments are welcomed and encouraged.

Major Gerald Burton, USA, is a Defensive IO Planner in the JTF-CND J5/7 Section. He is an Information Operations Functional Area Officer, and holds an M.S. from Central Michigan University. He may be reached at burtong@JtfcndJa.mil.

Mr. Richard Phares is a member of the IATAC, and designs, develops, and executes Information Operations wargames for various clients. He holds an M.S. from the Naval Postgraduate School, Monterey, CA. He may be reached at iatac@dtic.mil.
The Army Prepares for the Next Generation of Warfare

As the Army prepares to digitize the force, a new threat is developing—one that is unlike any the Army has seen before. Rather than spending billions of dollars on materiel, our enemies are now investing in information warfare (IW). Future conflicts are expected to be asymmetric, which means that IW forces will inflict substantial damage on large, computer-dependent adversaries.

In the Washington Times, the Chinese People's Liberation Army (PLA) publicly announced its plans to conduct Internet warfare against the United States. The PLA is gearing up for wartime computer attacks on networks and the Internet that will affect everything from banking to our military's communications structure.

In the past year, attempts to gain unauthorized access to the Army's networks have greatly increased—from the Melissa virus to computer attacks against the Pentagon by an Israeli hacker and two teenagers from California. The Army is now placing as much attention on protecting communications networks as it spent in preparing for the rollover to the year 2000 (Y2K). The U.S. Army Signal Center, Fort Gordon, Georgia, has responsibility for the combat developments of tactical, strategic, and sustaining base communications systems and the security systems that protect them. The Signal Center represents the warfighter in the development of information assurance (IA) tactics, techniques, and procedures to protect our tactical networks from our enemies.

During a recent IA Industry Day Conference, Lieutenant General David Kelley, Director, Defense Information Systems Agency (DISA), stated that an "Information Pearl Harbor" is imminent. It is not a matter of whether such an attempt will be made, but when. The Signal Center is taking this new threat into consideration as the Army migrates to the Warfighter Information Network-Tactical (WIN-T), which will replace the Tri-Services Tactical Communications (TRI-TAC) and the Mobile Subscriber Equipment (MSE) switch systems.

WIN-T is the Army's Force XXI command, control, communications, computers, intelligence, surveillance, and reconnaissance (C4ISR) tactical communications network, and it will integrate joint, multinational, commercial, and battlefield networks into an intranet that provides mobile, secure, survivable, and multimedia seamless connectivity between all elements within the battlespace from theater to battalion level. WIN-T's backbone will support multiple security levels (MSL)—TOP SECRET/Special Compartmented Information (TS/SCI), SECRET, and Sensitive but Unclassified (SBU)—and various modes of information, including voice, data, video, and imagery.


MAJ Robert Turk, USA
CPT Shawn Hollingsworth, USA

Network-based monitoring technology within the Defense Information Infrastructure (DII) is being mandated on a large scale across the DoD. WIN-T will include IA security features throughout the network that will employ the DoD's defense-in-depth strategy to protect, detect, and respond to attacks on the military's information systems. IA offers authentication (verification of the originator), nonrepudiation (incontestable proof of participation), availability (unimpeded access to authorized users), confidentiality (protection from unauthorized disclosure), and integrity (protection from information damage).

The layering of IA technology solutions is the fundamental principle of the defense-in-depth strategy, which includes three key areas of protection: external perimeter, internal network, and local computer hosts.

Protected electronic perimeters are needed for local enclaves because many end-user systems have little built-in protection against external access. These systems are difficult to administer well enough to provide an effective defense. Protected perimeters are like castle walls and gates, which enable professional administrators to control flow in and out. They also enable traffic through the gate to enter and leave at various levels during changing information conditions and allow specific services to be deactivated if they come under successful attack.

The external perimeter safeguards include firewalls, intrusion detection, inline encryptors, and where necessary, physical isolation. Internal network protection consists of a combination of security guards, firewalls, and/or router filtering devices to serve as barriers between echelons and/or functional communities. Host-based monitoring technologies can detect and eradicate malicious software (e.g., virus); detect software changes; check configuration changes; and generate an audit, audit reduction, and audit report.

The defense-in-depth strategy will provide a robust and resilient infrastructure designed to limit, contain, and repair damage that results from attacks. Fundamental criteria of the defense-in-depth strategy are that no single attack can lead to the failure of a critical function and that no critical function or system is protected by a single protection mechanism. This strategy is a key element in the successful implementation of IA in the WIN-T network.

The illustration below depicts the WIN-T's conceptual security architecture, which follows the layered protection strategy. Each layer will consist of a different configuration of IA tools designed to prevent a would-be intruder from gaining access to all systems by defeating one layer.

External Layer
The external layer, the strongest layer of protection in the network, is the first line of defense in the defense-in-depth architecture. The primary focus of the perimeter is protecting the inside from the outside, but enclave boundaries also provide some protection against malicious insiders (e.g., those who use the enclave to launch attacks). Protection measures include firewalls, filtering routers, replication servers, strong authentication, authentication servers, Internet Protocol (IP) security/virtual private networks (VPN), and measures to defend against back doors that circumvent firewalls, such as internal use of cellular phones or modems (e.g., sending data through voice public branch exchanges). The external layer and its suite of IA equipment will interface with external connections, such as the Secret IP Router Network (SIPRNET), SBU IP Router Network (NIPRNET), and Joint Worldwide Intelligence Communications System (JWICS).

Network Layer
This layer focuses on network-based monitoring (intrusion detection), thereby providing the capability to identify attacks and suspicious network activity. It captures and forwards event data to a predefined IA cell or the Regional Computer Response Team (RCERT).

User Level
Command and control (C2) protect tools will be employed on the individual host workstations. Host-based monitoring will reside on servers and end-user systems and will detect attacks against individual hosts. The detect capability of this type of monitoring is more fine-grained than network-based monitoring and can be the best line of defense in detecting malicious insiders. Local host protection software consists of Transmission Control Protocol (TCP) Wrappers for individual access control, a security profile inspector (SPI), a Simple Watch (SWATCH) for alerting when audit anomalies occur in the profile, and McAfee virus protection. This C2 package is the last line of defense against unauthorized use and entry.

Voice subscribers will be able to place and receive secure telephone calls to subscribers located on switched networks that incorporate National Security Agency (NSA) Type 1-approved devices. WIN-T will provide selected users with a handheld device that will connect via terrestrial and available satellite means to the WIN-T infrastructure, and via airborne platforms to communicate within the area of operations, both in and around command posts/tactical operations centers (TOC). It will have a secure (NSA-approved) capability that provides voice, data, and video communications.

Another form of IA that will be available to the user is the Public Key Infrastructure (PKI). PKI refers to the framework and services that provide for the generation, production, distribution, control, and accounting of public key certificates. It provides critical support to security applications providing confidentiality, authentication of network transactions, data integrity, and nonrepudiation.

WIN-T is not designed to counter a specific threat. However, certain security IA components are designed to protect WIN-T from the IW threat. As part of this strategy, IA protects the Army's C2 information network from attempts to penetrate the network to obtain, disrupt, or manipulate the resident information. It allows simultaneous access and processing protection for users at different security levels.

IA and the security features within the WIN-T network will continue to change after the network is fielded in 2005. Even as technology evolves and the threat changes, the Army must continue to protect its vital communications networks.
Containing Contagion in Cyberspace

COL John C. Deal, USA
MAJ Gerrie A. Gage, USA
Ms. Robin Schueneman

The recent "denial of service" attacks against America Online, Yahoo, and other ISP and Content Providers suggest that computer networks are vulnerable to widespread attack from a variety of adversaries. Complicating these issues are the global nature of such activities and the disparate nature of the kinds of attacks these services have to guard against.

Critical to this discussion is the fact that the dispersal of the toolkits available to hackers makes it all but certain that sniffing out, tracking down, and eliminating these threats will occupy the best network minds for some time to come.

As webmasters, systems administrators, and network security managers rethink the problem, they will, out of necessity, focus a large part of their effort on mitigating virus attacks—in all their forms.

The similarity between computer network systems and biological systems is uncanny. This comparison is common both within Information Technology publications and among users of computer network systems. Addressing computer networks as living systems from the standpoint of health makes one recognize the plethora of vulnerabilities that exist. One of the greatest threats to the health of an organization's computer networks is computer viral infections or contagion. Containing these contagions and eradicating them before the health of a network is degraded requires understanding and real-time vigilance on the part of users, network administrators and software developers.

The Pathology of Computer Viruses

A computer virus is a program, or software code, designed to replicate and spread, generally with the victim being oblivious to its existence. The mere mention of "computer virus" sends computer novices and experts scrambling to download the latest update of Norton, McAfee, or IBM antivirus software. Their reaction is justified. Every large corporation and organization has experienced a virus infection—most experience them monthly. According to data from IBM's High Integrity Computing Laboratory, corporations with 1,000 or more personal computers (PC) now experience a virus attack every 2 to 3 months—and that frequency will likely double in a year.¹ The number of virus attacks may seem unusually high if it is viewed independently. However, when Symantec Corporation (a supplier of DoD antiviral software) defines and categorizes 21,389 known viruses and McAfee (the other supplier of antiviral software to DoD) categorizes more than 40,000 viruses—the number of virus attacks is put in a new light. These viruses, usually benign or annoying, can slow performance, absorb resources, change screen displays and in the end, disrupt or deny service to such an extent that it affects organizations' bottom line—profit or mission accomplishment.

Computer viruses come from a variety of sources and spread by attaching themselves to other programs (e.g., word processors or spreadsheet applications) or to the boot sector of a disk. When the infected file is activated or executed, or when the computer is started from an infected disk, the virus itself is also executed. Viruses can also lurk in computer memory, waiting to infect the next program that is activated, or the next disk that is accessed.

Dataquest's 1991 study of major U.S. and Canadian computer users for the National Computer Security Association found that most users blame infected diskettes (87 percent) as the source of a virus. Forty-three percent of the diskettes responsible for introducing a virus into a corporate computing environment were brought from home. Nearly three-quarters (71 percent) of infections occurred in a networked environment, making rapid spread a serious risk. Seven percent of computer users said they had acquired their virus while downloading software from an electronic bulletin board service or Web site. Other sources of infected diskettes included demo disks, diagnostic disks used by service technicians, and shrink-wrapped software disks; these other sources contributed 6 percent of reported infections.² Although no new statistics are currently available, networking, enterprise computing, and inter-organizational communications are growing. Accompanying the growth in telecommuting and networking is an increase in infections.

IAnewsletter • Volume 3, Number 3
http://iac.dtic.mil/IATAC

Viruses are growing in complexity and variety. In 1986, there were just four known PC viruses. In today's virus rich environment, more than three viruses are created every day, for an average of 110 new viruses created in a typical month. There are several variations of viruses, but there are only three ways that a virus can access a system. "Computer Viruses: Past, Present and Future" describes these three methods as follows:

File Viruses

Most of the thousands of viruses known to exist are file viruses, including the Friday the 13th virus. These viruses infect files by attaching themselves to a file, generally an executable file—the .EXE and .COM files that execute applications and programs. The virus can insert its own code in any part of the file, provided it changes the host's code somewhere along the way, misdirecting proper program execution so that it executes the virus code first, rather than the legitimate program. When the file is executed, the virus is executed first.

Boot Sector / Partition Table Viruses

Although there are only about 200 boot sector viruses, they make up 75 percent of all virus infections. Boot sector viruses include Stoned, the most common virus of all time, and Michelangelo, perhaps the most notorious. These viruses are so prevalent because they are difficult to detect. They do not change a file's size or slow PC performance, so they are fairly invisible until their trigger event occurs. Events such as reformatting a hard disk or scanning a disk serve as a trigger. The boot sector virus infects floppy disks and hard disks by inserting itself into the boot sector of the disk, which contains code that is executed during the system boot-up process. Booting from an infected floppy allows the virus to jump to the computer's hard disk. The virus executes first and gains control of the system boot program code even before the operating system (OS) is loaded. Because the virus executes before the OS is loaded, it is not OS-specific and can infect any PC operating system platform—MS-DOS, Windows, OS/2, PC-NFS, or Windows NT. The virus enters the random access memory (RAM) and infects every disk that is accessed until the computer is rebooted and the virus is removed from memory. Partition table viruses attack the hard disk partition table by moving it to a different sector and replacing the original partition table with the virus' own infectious code. These viruses spread from the partition table to the boot sector of floppy disks as floppy disks are accessed.

Multipartite Viruses

These viruses combine the ugliest features of both file and boot sector/partition table viruses. They can infect any of these host software components. And while traditional boot sector viruses spread only from infected floppy boot disks, multi-partite viruses can spread with the ease of a file virus—but they still insert an infection into a boot sector or partition table. This tendency makes them particularly difficult to eradicate. Tequila is an example of a multi-partite virus.

Trojan Horse

Like its classical namesake, the Trojan Horse virus typically masquerades as something desirable; e.g., a legitimate software program. The Trojan Horse generally does not replicate (although researchers have discovered replicating Trojan Horses). Rather, it waits until its trigger event and then displays a message or destroys files or disks. Alongside the Trojan Horse is the Trojan Mule, which fools authorized users into giving their LOGIN information, passwords, and user-IDs. Once a user types in the valid user-ID/password LOGIN information, the virus sends that information to the file implementers and displays a LOGIN error message. As the authorized user retypes the information, the virus has already exited, the real LOGIN program regains control, and the user never suspects that LOGIN information has been revealed. The difference between the Trojan Horse and Trojan Mule viruses is that the mule does not even try to perform a useful function (e.g., game, application) and disappears from the system once it has done its work, whereas the horse remains in the system until it is cleaned.

File Over-writers

These viruses infect files by linking themselves to a program, keeping the original code intact and adding themselves to as many files as possible. Innocuous versions of file over-writers may not be intended to do anything more than replicate but, even then, they take up space and slow performance. And because file over-writers, like most other viruses, are often flawed, they can damage or destroy files inadvertently. The worst file over-writers remain hidden only until their trigger events. Then they can deliberately destroy files and disks.

Polymorphic Viruses

The … virus creators … into polymorphic … ensures that polymorphic viruses will only proliferate over the next few years. Like the human AIDS virus, which mutates frequently to escape detection by the body's defenses, the polymorphic computer virus mutates to escape detection by anti-virus software that compares it to an inventory of known viruses. Code within the virus includes an encryption routine to help the virus hide from detection, plus a decryption routine to restore the virus to its original state when it executes. Polymorphic viruses can infect any type of host software. Although polymorphic file viruses are most common, polymorphic boot sector viruses have already been discovered.

Stealth Viruses

These viruses are specially engineered to elude detection by … anti-virus tools. The virus adds itself to a file or boot sector, … when the host software … appears normal and un…. The stealth virus performs this … by lurking in memory when … There, it monitors and intercepts the OS's calls. When the OS seeks to open an infected file, the stealth virus races ahead, disinfects the file, and allows the OS to open it; all appears normal. When the OS closes the file, the virus reverses these actions, thereby re-infecting the file. Boot sector stealth viruses insert themselves in the system's boot sector and relocate the legitimate boot sector code to another part of the disk. When the system is booted, they retrieve the legitimate code and pass it …

Although there are only 
three ways to infect a system, 
there are hundreds of variations 
of viruses. The sidebars (pages 
17 through 21) contain descrip¬ 
tions of virus variations taken 
from “Computer Viruses: Past, 
Present and Future,” “Demysti¬ 
fying Computer Viruses,” and 
“Computer Security Basics.” 
This list is not all-inclusive, but 
it describes some of the com¬ 
mon variations to date. 

Viruses affect computers and 
networks differently. The pur¬ 
pose of most viruses is to re¬ 
main undetected, thereby al¬ 
lowing them to spread 
throughout the organization 
until they degrade performance 
or destroy data. Most viruses 
give no symptoms of their in¬ 
fection, thus driving the use of 
anti-virus tools. Anti-virus tools 
allow users to identify these 
quiet killers. However, many 
viruses are flawed and do pro¬ 
vide some tip-offs to their infec¬ 


Number 




tion. Here are some indications 
to watch for:® 

• Changes in the length of pro¬ 
grams 

• Changes in the file date or 
time stamp 

• Longer program load times 

• Slower system operation 

• Reduced memory or disk 
space 

• Bad sectors on the floppy 

• Unusual error messages 

• Unusual screen activity 

• Failed program execution 

• Failed system boot-ups when 
booting or accidentally boot¬ 
ing from the A: drive 

• Unexpected writes to a drive. 
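
The first two indicators above (a program whose length changed, a file whose date or time stamp changed) are exactly what a file-integrity baseline catches. The checker below is an added example, not a tool from the article: it records size, modification time and a SHA-256 hash for each program file under a directory, then reports which indicator fired on a later pass. The file names, contents and the 512-byte growth in `demo()` are constructed test data; the extension list is an assumption to adjust for the platform being watched.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Program-file extensions to baseline (assumption: edit for the platform).
PROGRAM_SUFFIXES = (".exe", ".com", ".sys", ".ovl")


def fingerprint(path: Path) -> dict:
    """Size, modification time and SHA-256 of one file."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = path.stat()
    return {"size": st.st_size, "mtime": st.st_mtime, "sha256": digest.hexdigest()}


def build_baseline(root: Path) -> dict:
    """Map each program file under root (by relative name) to its fingerprint."""
    return {
        str(p.relative_to(root)): fingerprint(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in PROGRAM_SUFFIXES
    }


def compare(baseline: dict, current: dict) -> list:
    """Return (file, indicator) pairs for every deviation from the baseline.
    The hash check catches a modification that preserves length and stamp."""
    findings = []
    for name, old in baseline.items():
        new = current.get(name)
        if new is None:
            findings.append((name, "program file missing"))
            continue
        if new["size"] != old["size"]:
            findings.append((name, "length changed"))
        if new["mtime"] != old["mtime"]:
            findings.append((name, "timestamp changed"))
        if new["sha256"] != old["sha256"]:
            findings.append((name, "content changed"))
    for name in sorted(current.keys() - baseline.keys()):
        findings.append((name, "new program file"))
    return findings


def demo() -> list:
    """Constructed scenario in a temporary directory: two program files are
    baselined, then one grows by 512 bytes and its date stamp moves forward."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        edit = root / "EDIT.EXE"
        edit.write_bytes(b"MZ" + b"\x00" * 1024)
        (root / "COMMAND.COM").write_bytes(b"\xeb\x10" + b"\x90" * 256)
        baseline = build_baseline(root)

        # Constructed change: lengthen the file and alter its time stamp,
        # the two observable indicators the list above leads with.
        with edit.open("ab") as fh:
            fh.write(b"\x90" * 512)
        later = baseline["EDIT.EXE"]["mtime"] + 3600
        os.utime(edit, (later, later))

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for name, indicator in demo():
        print(f"{name}: {indicator}")
```

In practice the baseline dictionary is written to read-only or offline storage right after a clean install, since a baseline kept on the monitored disk can be altered along with the programs it describes.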

This list of virus variations 
and symptoms is not all-inclu¬ 
sive. Additional information 
can be found at the following 
Web sites: 

• http://www.rootshell.com (exploits) 

• http://www.insecure.org/sploits.html (exploits) 

• http://ciac.llnl.gov/ciac/CIACVirusDatabase.html (virus information) 

• http://www.snafu.de/~madokan/mvic/viruscont.html (virus creators) 

• http://www.symantec.com/avcenter/index.html (virus information) 

• http://vil.mcafee.com (virus information) 

• http://www.virusbtn.com (virus information) 

The viruses discussed above 
are only the most common vari¬ 
ations of computer viruses and 
their symptoms. Computer 
viruses have cost companies 
worldwide nearly $2 billion 
since 1990, with those costs ac¬ 
celerating to $1.9 billion in 
1994. This cost is directly relat¬ 
ed to virus cleanup, not loss of 
profit. Profit loss caused by 
viruses is impossible to calcu¬ 
late. Organizations are combat¬ 
ing the virus problem with anti¬ 
virus software. The cost of this 
software is expected to grow 
from $700 million in 1997 to 
$2.6 billion by 2001. 

So what can an organization 
do to prevent computer viral in¬ 
fections, and what is the best re¬ 
sponse in the event of an infec¬ 
tion? These questions are best 
answered by analyzing a real 
event. This event is current and 
represents the best possible re¬ 
sponse to date by the Federal 
Government, DoD, and indus¬ 
try. As reported by SANS (Sys¬ 
tem Administration, Network¬ 
ing, and Security) Institute, the 
response of these organizations 
was “impressive.” 

Containing Contagion: 
A Case Study 
History will remember sever¬ 
al notable landings: the landing 
of the lunar module on June 20, 
1969; the landing of ET the ex¬ 
traterrestrial in movie cinemas 
in 1982; the landing of Mark 
McGwire in record books with 
his 70th home run in Septem¬ 
ber 1998; and the landing of 
Melissa in commercial, mili¬ 
tary, educational, and home 
PCs on March 26, 1999. 

One might ask, “Who is Melis¬ 
sa?” The question is in fact, 
“What is Melissa?” Melissa is a 
virus, conceivably the fastest 
spreading virus PCs have seen 
since the infamous Morris 
Worm, which infected more 
than 6,000 computers in a mat¬ 
ter of hours (ftp://coast.cs.purdue.edu/pub/doc/morris_worm/GAO-rpt.txt) in November 
1988. By March 30, 1999, Melis¬ 
sa had successfully infected 
about 70,000 E-mails. It was the 
first virus to have prompted 
Federal law enforcement to 


send out a warning about com¬ 
puter viruses: the Federal Bu¬ 
reau of Investigation (FBI) 
joined with the National Infra¬ 
structure Protection Center 
(NIPC) to issue a warning in an¬ 
ticipation of the tidal wave of E- 
mails that Melissa was expected 
to generate. 

Melissa is a macro virus, 
which means that its infectious 
code is resident in a macro (a 
symbol, name, or key that rep¬ 
resents a list of commands, ac¬ 
tions, or keystrokes) contained 
in a Microsoft Word document 
(see right side bar). In Melissa’s 
case, the macro has instructions 
to disable macro detection ca¬ 
pabilities, read the first 50 
names in a recipient’s Microsoft 
Outlook address book, and for¬ 
ward itself as an attachment to 
those individuals, or groups of 
individuals. When this forward¬ 
ed E-mail message is received 
and opened, the macro begins 
again its cycle of E-mail genera¬ 
tion, thus bogging down and po¬ 
tentially crashing mail servers 
through its exponential rate of 
infection. This type of attack is 
known as a denial of service. 

While the shutdown of elec¬ 
tronic mail servers is destruc¬ 
tive enough, there is at least 
one other potentially hazardous 
result of this virus. Melissa is 
spread through a Microsoft 
Word document. However, this 
virus is constructed in such a 
way that it infects whatever 
document is open at the time 
the infected attachment is dis¬ 
played, and that document is 
the one that is forwarded with 
the virus. Imagine this sce¬ 
nario: You are typing a classi¬ 
fied document when you re¬ 
ceive Melissa. When you open 
the attachment, i.e., the macro 
virus, it now places itself on 


accomplish the boot. Under examina¬ 
tion, the boot sector appears normal, 
but the boot sector is not in its normal 
location. 

Macro Viruses 

Macros are, in essence, mini-programs that take much of the legwork out of repetitive or template-oriented documents. For example, to minimize the work involved in typing the date in correspondence, a user could program a macro to insert the day, month, and year all at once when the letter “D” is typed. Macro viruses are carried in the types of data files that business computer users most often exchange: word processed documents and spreadsheets. Also, because these data files are often exchanged by E-mail, they sometimes bypass the checks that virus-aware organizations already have in place. Experts estimate that 40 percent of virus attacks are made this way. Macro viruses are created with the aid of the macro routines contained within word processing and spreadsheet application software, such as Microsoft Word and Excel. They attach themselves to any document files that include the macro code so that they can then be executed through the application software. The whole purpose of macro languages is to insert useful functions into documents, which are then executed as the documents are opened. This is what makes macro viruses easy to write. But one of the reasons they have become so prevalent is the success of Microsoft Office, which has 80 percent of the global market for integrated packages—a tempting target for macro virus writers. 

Memory-Resident 
Viruses 

The memory resident characteristic is the most common among viruses. When viruses load into memory via a host application, they remain in memory until the computer is turned off. At this stage of their existence, viruses can infect boot sectors and applications. 

Non-Resident Viruses 

These viruses can infect the system only when the host application is running. When the host application is closed, the virus is closed down as well. Therefore, if applications are opened after a host application is closed, there is no danger of infecting the system with that specific virus at that time. 

Companion Viruses 

To understand this characteristic, it is helpful to have a basic understanding of the sequential order of how system files work. In launching an executable file, either the user manually issues a command or the interface executes a command. Most applications have a file-type (FT) extension of *.EXE. When invoking these commands, the user or the computer enters the name of the application without the extension. The system executes other system files with the same name before executing the application’s FT. A companion virus creates a name that matches the application’s file name but with a different extension (e.g., *.COM). The application executes; however, the *.COM (infected file) launches first and infects the system. Most antiviral software packages can identify this characteristic. 
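
The precedence the sidebar describes is easy to check for on a directory listing, which is what the "identify this characteristic" step amounts to. The script below is an added example, not the sidebar's or any vendor's code: `resolve()` returns the file the command interpreter would run for a bare command name (the .COM/.EXE/.BAT order is the MS-DOS rule), and `shadowed_executables()` lists every executable that a same-named, earlier-ordered file in the same directory would run instead of. The file names in the demo are constructed.

```python
from pathlib import Path

# MS-DOS resolution order for a bare command name: the first extension that
# exists wins, so a .COM shadows a .EXE (and both shadow a .BAT) of that name.
SEARCH_ORDER = (".COM", ".EXE", ".BAT")


def _rank(name):
    """Position of a file's extension in SEARCH_ORDER (lower runs first)."""
    return SEARCH_ORDER.index("." + name.rpartition(".")[2].upper())


def resolve(command, names):
    """Return the file DOS would run for a bare command, or None if there is none."""
    by_upper = {n.upper(): n for n in names}
    for ext in SEARCH_ORDER:
        hit = by_upper.get(command.upper() + ext)
        if hit is not None:
            return hit
    return None


def shadowed_executables(names):
    """(companion, shadowed) pairs: 'companion' runs in place of 'shadowed'
    whenever the shared base name is typed without an extension."""
    by_stem = {}
    for n in names:
        stem, dot, ext = n.rpartition(".")
        if dot and "." + ext.upper() in SEARCH_ORDER:
            by_stem.setdefault(stem.upper(), []).append(n)
    pairs = []
    for _stem, group in sorted(by_stem.items()):
        group.sort(key=_rank)
        for shadowed in group[1:]:
            pairs.append((group[0], shadowed))
    return pairs


def scan_directory(path):
    """Apply shadowed_executables to the real file names in one directory."""
    return shadowed_executables([p.name for p in Path(path).iterdir() if p.is_file()])


if __name__ == "__main__":
    # Constructed listing: EDIT.EXE has acquired a same-named .COM beside it.
    listing = ["EDIT.EXE", "edit.com", "WP.EXE", "FORMAT.COM", "AUTOEXEC.BAT"]
    for companion, shadowed in shadowed_executables(listing):
        print(f"{companion} runs before {shadowed} when 'EDIT' is typed")
```

A pair in the output is not proof of infection (some legitimate packages ship a .COM loader beside a .EXE), so the useful follow-up is to compare the companion file against a baseline of known installed programs and look at its creation time.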



Bomb 

A bomb is a type of Trojan Horse that is used to release a virus, a worm, or some other system attack. It is either an independent program or a piece of code that has been planted by a system developer or a programmer. A bomb works by triggering some kind of unauthorized action when a particular date, time, or condition 
your already opened Word doc¬ 
ument and forwards THAT doc¬ 
ument to the first 50 addressees 
in your address book. 

Several aspects of this virus 
have helped its seemingly glob¬ 
al proliferation. One of the 
most significant aspects is its 
use of a user’s own address 
book to forward the infectious 
E-mail. This means that an or¬ 
dinary user, who would be sus¬ 
picious of E-mail from an un¬ 
known source, receives the 
virus as if a friend, co-worker, 
family member, etc. sent it, 
thereby instilling a false sense 
of security. In addition, this 
virus is spread with the help of 
Microsoft Word and Microsoft 
Outlook, two programs that are 
resident in a vast majority of 
PCs today due to the over¬ 
whelming popularity of Mi¬ 
crosoft Office. 

The DoD’s and Services’ In¬ 
formation Assurance processes 
helped ensure that Melissa's im¬ 
pact on DoD and the Services 
was minimal. The Army began 
receiving the virus shortly be¬ 
fore 5:00 p.m. on Friday, March 
26, 1999. Half an hour later, the 
Army Computer Emergency 
Response Team (ACERT) began 
receiving notices from its Re¬ 
gional CERTs (RCERT), and by 
6:00 a.m., the virus had spread 
throughout DoD systems world¬ 
wide. 

Once users began receiving 
E-mail from known acquain¬ 
tances but with an “out-of-char¬ 
acter” attachment, they began 
contacting their local systems 
administrators who, in turn, 
alerted the ACERT at Ft. 
Belvoir, Virginia, and the tech¬ 
nical support staff at Microsoft 
(which created the software the 
virus was designed to run on). 
and McAfee and Norton, two 
anti-virus companies. After the 
virus was discovered, a restric¬ 
tion was placed on the size of E- 
mail attachments. A message 
was distributed to all E-mail 
users, instructing them to not 
open attachments or enable 
macros in Microsoft Word docu¬ 
ments they received via E-mail 
unless they were sure of the 
document’s origin. 

Working in concert with in¬ 
dustry, Government officials 
were able to detect and attack 
the virus and implement fixes 
that were distributed to systems 
administrators and users in 
record time. RCERTs went to a 
heightened level of manage¬ 
ment and detection, and the 
Army Signal Command direct¬ 
ed the information manage¬ 
ment officials at 18 major facili¬ 
ties to scan E-mail servers using 
an application received from 
Microsoft and delete E-mail 
traffic infected with the virus. 
Throughout the night, ACERT 
coordinated reports, orchestrat¬ 
ed solutions to the virus with 
McAfee and Norton, and assist¬ 
ed system administrators with 
installing fixes. By Monday, 
March 29, 1999, the virus was 
contained and eradication was 
well on its way. This reaction 
established a process termed 
“Positive Control,” and the 
proactive efforts of all involved 
made this rapid containment 
happen, along with the close 
cooperation with the software 
industry. 
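
The response above rests on two observable facts about the outbreak: the same Word attachment leaving many different mailboxes to about 50 recipients each, and the attachment-size restriction that was imposed afterwards. The script below is an added example, not ACERT's procedure or the Microsoft scanning application the article mentions: it parses a constructed mail-relay log (the line format, addresses and timestamps are invented for the example) and separates worm-like traffic from an ordinary mass mailing by counting distinct senders per attachment.

```python
import re
from collections import defaultdict

# Constructed sample of a mail-relay log (invented format): one accepted
# message per line with sender, recipient count, attachment name and size.
SAMPLE_LOG = """\
1999-03-26T16:48:10 id=m001 from=alice@example.mil rcpts=50 attach=list.doc size=41234
1999-03-26T16:49:02 id=m002 from=bob@example.mil rcpts=1 attach=budget.xls size=20480
1999-03-26T16:52:33 id=m003 from=carol@example.mil rcpts=50 attach=list.doc size=41234
1999-03-26T16:53:01 id=m004 from=dave@example.mil rcpts=50 attach=list.doc size=41234
1999-03-26T16:55:40 id=m005 from=erin@example.mil rcpts=3 attach=- size=0
1999-03-26T16:57:12 id=m006 from=frank@example.mil rcpts=12 attach=report.doc size=1200000
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) id=(?P<id>\S+) from=(?P<sender>\S+) "
    r"rcpts=(?P<rcpts>\d+) attach=(?P<attach>\S+) size=(?P<size>\d+)$"
)


def parse_log(text):
    """Turn log lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            r = m.groupdict()
            r["rcpts"] = int(r["rcpts"])
            r["size"] = int(r["size"])
            records.append(r)
    return records


def triage(records, fanout=50, min_senders=3, max_attachment=1_000_000):
    """Two independent checks.
    worm_like: ids of messages carrying a .doc attachment to >= fanout
      recipients, where that same attachment name has left at least
      min_senders distinct mailboxes (one sender mass-mailing does not trip it).
    oversize: ids of messages a size restriction of max_attachment bytes
      would reject (the thresholds are assumptions, not the Army's values)."""
    senders_by_attachment = defaultdict(set)
    for r in records:
        if r["attach"].lower().endswith(".doc") and r["rcpts"] >= fanout:
            senders_by_attachment[r["attach"].lower()].add(r["sender"])
    worm_names = {a for a, s in senders_by_attachment.items() if len(s) >= min_senders}
    worm_like = [r["id"] for r in records
                 if r["attach"].lower() in worm_names and r["rcpts"] >= fanout]
    oversize = [r["id"] for r in records if r["size"] > max_attachment]
    return worm_like, oversize


if __name__ == "__main__":
    worm_like, oversize = triage(parse_log(SAMPLE_LOG))
    print("worm-like:", worm_like)
    print("oversize:", oversize)
```

The distinct-sender count is what makes the rule specific: a single user sending one document to 50 colleagues is normal traffic, while the same document fanning out from three or more unrelated mailboxes within minutes is the pattern the article describes. The thresholds belong in a configuration file, since the fan-out of 50 is a property of this one virus.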

Disinfecting Melissa was ac¬ 
tually a fairly simple process, 
even if labor intensive. Ordinar¬ 
ily, the fix would have merely 
involved retrieving the latest 
virus definitions from a rep¬ 
utable virus-scanning source, 
such as Norton or McAfee, and 
scanning client and server hard 
drives. The glitch in Melissa’s 
case was that these virus-scan¬ 
ners were caught relatively off 
guard with this virus. Normally, 
anti-virus software companies 
know about new viruses long 
before they are released and, 
therefore, are able to release 
updated virus definitions to 
their clients before the danger 
arrives. For some reason, Melis¬ 
sa was kept under close wraps 
until its release on March 26. In 
the end, the damage caused by 
Melissa will be measured in the 
millions of dollars. But the 
lessons learned from this attack 
are being institutionalized. Con¬ 
tagion in cyberspace can be 
contained. 
occurs. There are two types of bombs: time and logic. A time bomb is set to go off on a particular date or after some period of time has elapsed. The Friday the 13th virus was a time bomb. A logic bomb is one that is set to go off when a particular event occurs. Software developers have been known to explode logic bombs at key moments after installation—if, for example, the customer fails to pay a bill or tries to make an illicit copy. 

Spoof 

This is a generic name for a pro¬ 
gram that tricks unsuspecting users 
into giving away privileges. Often, the 
spoof is perpetrated by a Trojan Horse 
mechanism in which an authorized 
user is tricked into inadvertently run¬ 
ning an unauthorized program. The 
program then takes on the privileges 
of the user and may run amok. 


Bacteria 

These are programs that do nothing but make copies of themselves, but by doing so they will eventually use up all system resources (i.e., memory, disk space). 

Rabbits 

This is another name for rapidly re¬ 
producing programs. 


Crabs 

These programs attack the display 
of data on computer terminal screens. 


Salami 

Salami slices away (rather than 
hacking away) tiny pieces of data. For 
example, salami alters one or two 
numbers or a decimal point in a file, or 
it shaves a penny off a customer's bank 
interest calculations and deposits the 
pennies in the intruder's account. 
Computing on the Virtual Border 

LTC Eugene K. Ressler, USA 
COL Clark K. Ray, USA 

T he U.S. Military Academy 
(USMA) at West Point 
confronts a novel information 
age challenge—to balance the 
needs of a dynamic, technolo¬ 
gy-rich undergraduate experi¬ 
ence for 4,000 cadets with the 
availability, security, and inter¬ 
operability concerns for an en¬ 
terprise local area network 
(LAN) operating within the De¬ 
partment of Defense (DoD) 
network infrastructure. Despite 
resource, technology, and cul¬ 
ture challenges, this balancing 
act has been unusually success¬ 
ful over an evolution spanning 
the 10 years since the USMA 
network was created in 1989. 

Figure 1. Work at a Z-248, circa 1988. 
Perhaps surprisingly, cadets’ 
education benefits from the 
moderate discipline imposed 
by operating the network in ac¬ 
cordance with DoD require¬ 
ments and professional best 
practices. Typical university 
data networks, by contrast, op¬ 
erate as mostly unfettered ser¬ 
vices in which almost “any¬ 
thing goes” with regard to hard¬ 
ware, software, protocols, and 
modes of use. Although this ap¬ 
proach affords great individual 
freedom, its overall effect may 
be to reduce network useful¬ 
ness. Recent trends in campus 
computing seem to be drawing 
the rest of academe closer to 
the computing model em¬ 
ployed at West Point. 

West Point occupies a rare 
crossroads of “.edu” and “.mil” 
domains. This is literal in the 
sense that many network hosts 
have names in each domain. 
Browsing www.usma.army.mil 
will take a virtual visitor to the 
same place as www.usma.edu 
and www.westpoint.edu. The 
Academy is first and foremost a 
primary commissioning source 
for Army officers. It is an Army 
post, and the post network is an 
Army information system. “Dot 
mil” naming and conformance 
to DoD/Department of the 
Army (DA) standards is expect¬ 
ed and required. However, West 
Point is also a tier I, accredited 
academic institution with 
strong ties to the academic 
community for research and 
other professional exchanges. 
Military and civilian faculty 
members find that in some set¬ 
tings, an “.edu” address commu¬ 
nicates the seriousness with 
which the USMA views its role 
in undergraduate teaching, 
learning, and research. 

Attracting the best qualified 
of America’s high school grad¬ 
uating class each year is an es¬ 
sential aspect of the West Point 
program. Among bright, knowl¬ 
edgeable high school students, 
sophisticated technological in¬ 
frastructure is high on the list 
of criteria for college choices. 
After admission, cadet families 
expect and deserve electronic 
mail (E-mail) and other elec¬ 
tronic contact with their cadets. 
It follows that a principle of in¬ 
formation assurance (IA) at 
West Point is to support tech¬ 
nology programs and systems 
that meet the expectations of 
diverse clients outside the gate. 
Connecting with the American 
public is essential to fulfilling 
its institutional mission, so 
West Point can seldom afford to 
escape risk by reducing access. 

The military/educational du¬ 
ality continues inside the gate. 
Inquiry is the soul of learning, 
and inquiry has increasingly 
come to involve innovative 
uses of technology. The com¬ 
puting environment at West 
Point must provide cadet stu¬ 
dents and faculty members the 
freedom to experiment with 
hardware and software and to 
exchange information world¬ 
wide with great convenience 
while still providing informa¬ 
tion assurance. Cadets pur¬ 
chase their own computers and 
software much as they do text¬ 
books and other tools of the 
academic program, so they 
have a reasonable expectation 
of control over their computers’ 
configuration. On the other 
hand, the USMA network is a 
military facility where official 
business takes precedence. The 
Army reasonably expects to en¬ 
force usage policies and config¬ 
uration management of net¬ 
work resources. 

To be sure, universities and colleges share many of USMA’s challenges. Although few have a dual presence on the Internet, each campus has business to conduct in security and with high reliability while also providing academic freedom of inquiry. Educating students on acceptable use of technology facilities is a shared concern. Students everywhere stay on the leading edge of new information services. Downloadable software of all varieties, music in “MP3” (compressed) form, and electronic stock trading illustrate developments that have put college officials in catch-up mode, deciding what students can properly and legally do, determining their own legal and ethical institutional responsibilities, and figuring out how to enforce their policies. 

USMA differs from its peer academic institutions in the way it confronts IA challenges. A key example is the USMA approach to student computing. Although cadets do own and pay for their computers, the configuration is standard, chosen through a “best value” competitive government solicitation, with software installed in advance. Although some disk space is reserved for cadets to configure however they choose, a precondition for physical connection to the USMA network is use of a government-installed, controlled, managed, and monitored operating environment. For example, all cadet computers must currently run Windows NT as their operating system when connected to the network, and except for selected individuals, users may not exercise full administrator privileges. 

Acceptance of these limitations is a modest sacrifice for the services provided in return: Internet and intranet access; shared files, printers, and public bulletin boards; and standard directory and E-mail facilities. Configuration standards at West Point allow the organized planning and delivery of a wide spectrum of services, a range exceeding that at most schools. A current project will provide each cadet with a high reliability network home directory that is Web-accessible via Hypertext Transfer Protocol (HTTP). IA measures, such as antivirus software updates, operating system patches (often issued in response to Army Computer Emergency Response Team [ACERT] alerts), software upgrades, and necessary configuration changes are dispensed each time cadets log in to their network accounts. Army intrusion detectors alert USMA technicians to Internet attacks on cadet computers. Teams are usually able to clear or repair any damage before the cadet knows what has happened. The latest cadet computers include hardware features for central monitoring that have averted significant maintenance problems. 

Figure 2. Typical cadet work space today. 

Technical support is another difference. Most American students come to college with a computer of their own choosing. To an uncomfortable degree, they must fend for themselves in solving software, hardware, and configuration problems. Some institutions are currently finding that students on stipend can fill some of this gap in technology support. West Point has made cadet Information Systems Officers (ISO) part of the Corps of Cadet chain of command for more than a decade. A small team of government technicians mentors ISOs in a range of system administration tasks considered to be “second echelon” support (forgotten passwords, installation of hardware drivers, and the like). This structure provides an exceptional developmental experience for the ISOs and an effective, zero-dollar (although not zero person-hour) source of support. Government and contract personnel perform more sophisticated repairs. All cadets take a one-semester course in computing fundamentals in their first year. Additionally, each year as many as 20 percent of cadets select academic majors or sequences (minors) in disciplines directly related to information technologies, providing a level of expertise to classmates who share their living areas not found at many other institutions. 

The ethical and moral as¬ 
pects of cadet development 
programs are another essential 
part of IA at West Point. Inside 
the West Point firewall, designs 
to safeguard systems and data 
are able to assume that mali¬ 
cious intent on the part of users 
is a rare, and readily punish¬ 
able, occurrence. Cadets are 
instructed to consider technol¬ 
ogy system abuses to be failings 
of personal conduct or ethics. 
In short, USMA’s students are 
asked and required to be part of 
the IA effort. West Point’s in¬ 
tranet security intends to “keep 
honest people honest” and to 
detect the occasional outlying 
bad behavior. On the other 
hand, most campus network 


designers frequently have no 
choice but to assume that many 
students will intentionally 
abuse institutional systems. 
The Athena project at the Mass¬ 
achusetts Institute of Technolo¬ 
gy (MIT) and the proliferation 
of virtual LANs and other elab¬ 
orate security control mecha¬ 
nisms on campuses stand as ex¬ 
amples. 

The upshot of USMA’s meth¬ 
ods is better education and 
training for cadets. On any 
given day, approximately 99.6 
percent of cadet computers are 
available on the USMA net¬ 
work. At other institutions, the 
popularity of campus-wide stu¬ 
dent computer purchase pro¬ 
grams is growing. These often 


include limited standard con¬ 
figuration efforts. However, few 
published data measure overall 
availability statistics. Whereas 
most campuses sport an eclec¬ 
tic array of standards, West 
Point cadet, faculty, and staff 
computers run identical E- 
mail, office suite, mathematics, 
and multimedia software, al¬ 
lowing faculty members to give 
instructions and assignments 
that incorporate configuration 
details. Technology support 


and security costs are reduced, 
so available dollars can be fo¬ 
cused on improving capabili¬ 
ties rather than on security and 
middleware. Although cadets 
do not have complete freedom 
to connect devices and run dis¬ 
approved software in the USMA 
network environment, cadets 
with bona fide educational 
needs to operate nonstandard 
configurations are able to do so 
in controlled circumstances 
under the guidance of a faculty 
mentor. 

The lessons of experience 
are somewhat counterintuitive. 
The military and government 
environment of education at 
West Point benefits its cadet stu¬ 
dents rather than detracting 
from their experience. A com¬ 
prehensive approach to IA for 
student computing is part of 
the solution, rather than a 
problem to be solved. 
In Pursuit of the “Trustworthy” 
Enterprise 

Mr. Sean P. O’Neil 

Editor’s Note: Inclusion of 
this product within the 
IAnewsletter does not consti¬ 
tute an endorsement by 
IATAC or DoD. 

T oday's consumers may be 
immediately concerned 
with protecting their Visa card 
numbers during on-line pur¬ 
chases, and until just a few 
weeks ago, government infor¬ 
mation technology (IT) man¬ 
agers were primarily obsessed 
with exterminating the year 
2000 (Y2K) bug. However, indi¬ 
viduals in both private and pub¬ 
lic sectors feel growing appre¬ 
hension about security threats 
from the Internet. 

Shared Concerns—Inside 
and Outside the 
Beltway 

Citizens and government 
managers alike recognize not 
only the potential dangers 
posed by hackers, computer 
virus writers, Web saboteurs, 
and other Internet attackers, 
but also the need to increase 
the soundness of overall Inter¬ 
net security infrastructure. 

Just as businesses and con¬ 
sumers are beginning to tap the 
Internet’s potential for electron¬ 
ic commerce (e-commerce) 
purposes, government agencies 
are leveraging the power of the 
Web to deliver enhanced ser¬ 
vices and information. Howev¬ 
er, with the efficiencies offered 
by the Internet come opportu¬ 
nities for disaster. As the world 
rushes into the Internet age, the 
opportunities for security 
breaches and cyber terrorism 
continue to escalate. 



The Internet opens the e- 
commerce door to millions of 
users, while simultaneously ex¬ 
posing Web sites and placing at 
risk invaluable corporate data, 
mission-critical business appli¬ 
cations, and consumers’ confi¬ 
dential information. Web-en¬ 
abling technologies also have 
the potential to compromise the 
integrity of government net¬ 
works and crucial defense re¬ 
sources. The Internet may soon 
serve, in effect, to launch com¬ 
mercial hijackings and cyber 
terrorism directed against the 
U.S. national infrastructures. 

A Real and Imminent 
Danger 

According to the FBI, the av¬ 
erage American corporation 
will experience a major elec¬ 
tronic intrusion once every 2 
years. On the government side, 
the General Accounting Office 
has warned that federal govern¬ 
ment systems such as tax col¬ 
lection, national defense, and 
air traffic control networks may 
face serious threats of severe 
disruption unless adequate de¬ 


fense measures are quickly put 
in place. 

Fortunately, sophisticated 
tools are now available to pro¬ 
tect E-commerce transactions, 
IT assets, and network re¬ 
sources. The most powerful of 
these e-commerce security 
tools are equally effective in 
sensitive government IT envi¬ 
ronments—where property and 
lives are at stake, not just dol¬ 
lars and credit ratings. 

Computer Associates Inter¬ 
national, Inc., (CA) has devel¬ 
oped such a tool. Its eTrust se¬ 
curity solutions are used at 
government and commercial 
sites to safeguard information 
and maintain the integrity of 
vital enterprise resources. 
eTrust protects mission-critical 
IT resources and offers broad 
functionality, including risk as¬ 
sessment, attack detection, and 
consolidated administration of 
policy and audit trails. eTrust 
solutions can also be scaled to 
suit an environment of any size. 

Government agencies and 
commercial entities deploy 
eTrust as either stand-alone 
products or as a comprehensive 
security suite. eTrust was de¬ 
signed to be used with CA’s Uni¬ 
center TNG enterprise manage¬ 
ment solution, thus offering IT 
managers a consistent ap¬ 
proach to building, deploying, 
and managing security as part 
of the larger IT administration 
and control task. 

By supporting and exploiting 
security features of the OS/390, 
UNIX, and Windows NT operat¬ 
ing systems and applications, 
eTrust’s open, expandable ar¬ 
chitecture allows organizations 
to leverage their existing tech¬ 
nology investments. Public key 
infrastructure (PKI), LDAP, and 
smart-card products are a few of 
the standards-based technolo¬ 
gies used by Global 2000 cus¬ 
tomers and government clients 
in conjunction with CA’s enter¬ 
prise management and security 
products. 

When the Firewalls 
Come Tumbling 
Down 

Together with network intru¬ 
sion detection systems, fire¬ 
walls have traditionally provid¬ 
ed first-level defense against 
external attacks. However, 
holes must be punched through 
firewalls to grant legitimate ac¬ 
cess to Web-enabled applica¬ 
tions. Implementing these ap¬ 
plications concurrently 
provides an opportunity for 
hackers to exploit application or 
server vulnerabilities and 
breach security controls. 

Equally disconcerting is the 
fact that moving to e-commerce 
and Internet-enabled environ¬ 
ments has done nothing to 
eliminate traditional security 
threats. On the contrary, these 
developments have escalated 
vulnerabilities by increasing 
the number of people with ac¬ 
cess to specific internal ser¬ 
vices. For these reasons, con¬ 
ventional security devices are 
no longer effective by them¬ 
selves. Simultaneously imple¬ 
menting several stand-alone se¬ 
curity tools is also ineffective 
because it results in a patch- 
work solution that leaves weak 
spots unprotected. 
Protecting Against 
Security Threats on 
All Fronts 

Using eTrust, CA has part¬ 
nered with government and 
commercial customers to pro¬ 
vide a complete security solu¬ 
tion tailored to specific require¬ 
ments and organization goals, a 
solution that supports Internet 
use and also protects the infra¬ 
structure. Tight integration 
among eTrust offerings gives 
government agencies and busi¬ 
ness organizations enter¬ 
prisewide security and also al¬ 
lows them to adopt 
incrementally eTrust solutions 
that seamlessly work with one 
another. Solutions include— 

• eTrust Access Control, which 
provides policy-based control 
to determine who can access 
specific systems, what they 
can do with them, and when 
access is allowed 

• eTrust Admin, which simpli¬ 
fies user and resource admin¬ 
istration, reducing its com¬ 
plexity, expense, and suscep¬ 
tibility to error 

• eTrust Audit, which collects 
enterprisewide security and 
system audit information 

• eTrust Content Inspection, 
which safeguards systems 
connected to the Internet 
from malicious code attacks 

• eTrust Directory, which 
ensures high performance 
and reliability of critical 
directory service applications 

• eTrust Encryption, which 
seamlessly safeguards infor¬ 
mation against intrusion as it 
is transferred across a 
Transmission Control 
Protocol/Internet Protocol 
(TCP/IP) network 

• eTrust OCSPro, which pro¬ 
vides a scalable, distributed 
Online Certificate Status 
Protocol (OCSP) responder 
implementation, giving client 
applications the current sta¬ 
tus of a digital certificate 
from a trusted authority in 
real time 

• eTrust Firewall, which con¬ 
trols Internet, intranet, and 
extranet access to mission- 
critical applications, exclud¬ 
ing unauthorized users 

• eTrust Intrusion Detection, 
which delivers advanced net¬ 
work protection and includes 
an integrated antivirus 
engine with automatic signa¬ 
ture updates 

• eTrust Policy Compliance, which enables organizations to protect against unauthorized usage or attacks by identifying potential weak points in security policies, automatically generating corrections, and constantly monitoring the network

• eTrust VPN, which delivers secure Internet communications and safeguards all virtual private network (VPN) uses.

CA also offers a Security Integrity Services (SIS) portfolio, which includes a complete range of consulting services for security assessment, policy development, product installation, support, implementation, and outsourcing. For further information on CA's eTrust products and services, see http://www.cai.com/solutions/enterprise/etrust.


Sean P. O'Neil is a freelance writer and Communications, Inc. He holds an a B.A. in English from State University of New York at Albany. He may be reached at spoemail@aol.com.
Third International Information Hiding Workshop

Mr. Robert P. Thompson, Director, IATAC

IATAC recently attended the Third International Information Hiding Workshop in Dresden, Germany. This workshop is the primary forum for scientists working on information hiding techniques, including steganography and digital watermarking. The workshop focused on algorithms and techniques rather than on systems and policy. The information presented at this workshop is intended to provide a comprehensive view of the current state of the art in data embedding research.

Conference sessions were separated into steganography and watermarking tracks. The steganography track was divided into sessions on fundamentals, paradigms and examples, asymmetric steganography, engineering, and attacks. The watermarking track featured sessions on proofs of ownership, detection and decoding, watermarking techniques, protecting private and public watermarking information, new designs, robustness, and software and hardware protection.

The steganography sessions showed that steganography research is maturing and that certain institutions are gaining expertise, along with more operational insight than is usually expected in academia. In general, steganography aims to make embedded data difficult to detect. Researchers and developers are beginning to make more realistic assumptions about host data files; many now state that the initial assumption behind Least Significant Bit (LSB) substitution, that the LSB plane of a host file is noise-like and can be overwritten without a detectable trace, appears to be false, and that the security of these techniques is questionable. Algorithm developers are paying more careful attention to where to hide data, focusing on areas



Figure 1. Watermarking System 
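One way to see why the LSB assumption fails, as an added example that is not code from the page, the workshop, or any vendor mentioned in this newsletter: the block below embeds a message by sequential Least Significant Bit substitution into a constructed 8-bit greyscale cover and then runs the pairs-of-values chi-square check, the standard histogram attack on LSB substitution. The cover (built with an irregular histogram, as natural images have), the payload (random bits, as a compressed or encrypted message would be), the 6000-pixel block size and the four-sigma decision threshold are all assumptions of the example. It goes one step beyond the text by scanning the image block by block, which also locates a message that fills only part of the cover.

```python
"""Sequential LSB substitution and the pairs-of-values chi-square check.

Added example; not code from the page, the workshop, or any product named
in this newsletter. Cover, payload, block size and threshold are assumed.
"""
import math
import random

WIDTH, HEIGHT = 300, 200   # constructed cover: 60 000 8-bit grey pixels
BLOCK = 6000               # pixels per block for the block-wise scan (assumed)


def make_cover(seed=1):
    """Constructed 8-bit greyscale cover with an irregular histogram.

    Natural-image histograms (after gamma correction, rescaling or JPEG
    decoding) have adjacent bins that differ markedly, so the LSB plane is
    not noise. Modelled here with a bell envelope, an even/odd imbalance
    and per-bin jitter.
    """
    rng = random.Random(seed)
    weights = []
    for v in range(256):
        envelope = math.exp(-((v - 128) / 60.0) ** 2)
        comb = 1.0 if v % 2 == 0 else 0.5
        weights.append(envelope * comb * rng.uniform(0.7, 1.3))
    return rng.choices(range(256), weights=weights, k=WIDTH * HEIGHT)


def embed_lsb(pixels, bits):
    """Sequential LSB substitution: message bit i replaces the LSB of pixel i."""
    if len(bits) > len(pixels):
        raise ValueError("message exceeds cover capacity")
    stego = list(pixels)
    for i, b in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | (b & 1)
    return stego


def extract_lsb(pixels, n_bits):
    """Read the message back from the first n_bits pixels."""
    return [p & 1 for p in pixels[:n_bits]]


def chi2_sf(x, dof):
    """Upper tail P(chi2(dof) >= x) by the Wilson-Hilferty normal
    approximation (adequate for the ~128 degrees of freedom here)."""
    if dof == 0:
        return 1.0
    c = 2.0 / (9.0 * dof)
    z = ((x / dof) ** (1.0 / 3.0) - (1.0 - c)) / math.sqrt(c)
    return 0.5 * math.erfc(z / math.sqrt(2.0))


def pov_chi_square(pixels):
    """Pairs-of-values chi-square (Pearson form) over the pairs (2k, 2k+1).

    LSB substitution only moves counts between 2k and 2k+1; with random
    message bits the two counts become equal up to binomial noise, so the
    statistic is ~chi2(dof). Returns (statistic, dof, p); a statistic near
    dof (large p) means the histogram looks LSB-embedded.
    """
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    stat, dof = 0.0, 0
    for k in range(128):
        n0, n1 = hist[2 * k], hist[2 * k + 1]
        if n0 + n1 == 0:
            continue  # value pair absent from the image: no evidence either way
        stat += (n0 - n1) ** 2 / (n0 + n1)
        dof += 1
    return stat, dof, chi2_sf(stat, dof)


def looks_embedded(pixels, sigmas=4.0):
    """True when the statistic sits where chi2(dof) puts it (mean dof,
    standard deviation sqrt(2*dof)); an untouched cover lands far above."""
    stat, dof, _ = pov_chi_square(pixels)
    return stat < dof + sigmas * math.sqrt(2.0 * dof)


def scan_blocks(pixels, block=BLOCK):
    """Block-wise scan: sequential embedding fills the image from the start,
    so the run of True flags shows how far the message extends even when the
    whole-image statistic is still dominated by the untouched remainder."""
    return [looks_embedded(pixels[i:i + block])
            for i in range(0, len(pixels), block)]


def demo(seed=1, fraction=1.0):
    """Embed a constructed random payload into `fraction` of the cover
    and run the whole-image and block-wise checks on cover and stego."""
    cover = make_cover(seed)
    rng = random.Random(seed + 1)
    n_bits = int(fraction * len(cover))
    bits = [rng.getrandbits(1) for _ in range(n_bits)]   # constructed payload
    stego = embed_lsb(cover, bits)
    return {
        "extract_ok": extract_lsb(stego, n_bits) == bits,
        "cover": pov_chi_square(cover),   # statistic >> dof, p ~ 0
        "stego": pov_chi_square(stego),   # fraction=1.0: statistic ~ dof
        "blocks": scan_blocks(stego),     # True for the blocks the message covers
    }


if __name__ == "__main__":
    for frac in (1.0, 0.5):
        r = demo(fraction=frac)
        print(f"fraction={frac}: cover chi2={r['cover'][0]:.0f} (dof {r['cover'][1]}), "
              f"stego chi2={r['stego'][0]:.0f}, blocks={r['blocks']}")
```

The point the block makes is that LSB substitution does not add noise to the histogram; it equalises each pair of adjacent bins, and that regularity is what the test detects, with the cover statistic far above its degrees of freedom and the fully embedded image close to them. A message that fills only half the cover is missed by the whole-image statistic, because the untouched half still dominates, which is why the block scan is worth carrying: it reports the embedded run at the start of the image and the clean blocks after it.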